Known Desktop Applications (AppLocker) Policy

AppLocker is a Microsoft technology that allows administrators to control which applications are allowed to run in order to prevent the launching or installation of malicious software.

Policy

AppLocker will be used to secure college-managed computers that have a supported version of the Windows Operating System. AppLocker rules will be configured to block malware and allow applications required for academic and business purposes. A best effort will be made to allow other applications requested by users if the application does not pose a security risk and if a rule to allow it can be configured in a secure manner.

Procedures

If you receive the message “Your system administrator has blocked you from running this program”, it is most likely because the application does not match an AppLocker rule that would allow it to run. If you receive the message, please open a work order or call the helpdesk to let us know.

If you do not recognize the program name and location shown in the message, the blocked program could be malicious software, or it could simply be a benign application, such as an auto-updater, trying to run.

If the application is something you are trying to open and want, please provide us some details so we can determine if we can create a rule to allow it. Basic information like the name of the software, its purpose, why you need it, and any other information you believe to be relevant is enough to begin a review.

Considerations

Applications that run from standard locations, such as the Program Files or Windows directories, are permitted by the default rules and require no special rule. Applications that run from anywhere within a user directory (e.g. C:\Users\first.last\AppData\) need a rule created before they can run. Most publishers now sign their applications with a digital certificate, which can be used to verify that the software comes from a legitimate developer; signed applications that are not malicious can usually be granted permission to run. Some developers, however, do not sign their applications. If an application is unsigned and its executables reside in a user-writable directory, it may not be possible to configure a rule that allows it without also allowing anything else placed in that directory, so a request to allow it may have to be denied.
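The following PowerShell script is an added example, not part of the college's policy or tooling, showing how a helpdesk technician can triage a blocked executable along the lines described above: confirm the block against the effective policy, check whether the file is in a default-allowed location or a user-writable one, check whether it is signed, and generate and test a proposed rule of the safest type. It assumes the AppLocker PowerShell module is available (Windows Enterprise/Education or Server), that it runs on a machine with the same effective policy as the user's, and that the example path, the `Everyone` group and the temporary file names are placeholders to be replaced.

```powershell
# Added example (not the college's own code): triage an executable that AppLocker blocked
# and work out which kind of rule, if any, can allow it without weakening the policy.
# Assumes the AppLocker module is present and the effective policy matches the user's PC.
# Paths, group name and temp file names are assumptions, not values from the policy page.
Import-Module AppLocker -ErrorAction Stop

function Get-AppLockerRequestTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Group = 'Everyone'          # principal the proposed rule would apply to
    )

    $full = (Get-Item -LiteralPath $Path -ErrorAction Stop).FullName

    # 1. Confirm the block against the effective policy on this machine.
    $effective = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Set-Content -LiteralPath $effective
    $current = Test-AppLockerPolicy -XmlPolicy $effective -Path $full -User $Group

    # 2. Where does the file live? The default rules already cover Program Files and
    #    Windows; anything under C:\Users is user-writable and so unsafe for a Path rule.
    $defaultDirs  = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) | Where-Object { $_ }
    $inDefaultDir = [bool]($defaultDirs | Where-Object {
        $full.StartsWith("$_\", [StringComparison]::OrdinalIgnoreCase) })
    $userWritable = $full.StartsWith("$env:SystemDrive\Users\", [StringComparison]::OrdinalIgnoreCase)

    # 3. Is the file signed by a publisher that AppLocker can reference in a rule?
    $sig    = Get-AuthenticodeSignature -FilePath $full
    $info   = Get-AppLockerFileInformation -Path $full
    $signed = ($sig.Status -eq 'Valid') -and ($null -ne $info.Publisher)

    # 4. Decide which rule type is defensible for this file.
    if ($inDefaultDir) {
        $ruleType = $null
        $advice   = 'Inside a default-allowed directory; the block comes from an explicit deny rule, not a missing allow rule.'
    } elseif ($signed) {
        $ruleType = 'Publisher'
        $advice   = "Signed by '$($info.Publisher.PublisherName)'; a Publisher rule allows this product (including future versions) without trusting the folder."
    } elseif (-not $userWritable) {
        $ruleType = 'Path'
        $advice   = 'Unsigned but not in a user-writable location; a Path rule limited to this folder is acceptable.'
    } else {
        $ruleType = 'Hash'
        $advice   = 'Unsigned and user-writable: a Path rule would allow anything dropped into the folder. Only a Hash rule is safe, and it must be re-issued on every update; otherwise deny the request.'
    }

    # 5. Generate the proposed rule and prove it matches before anyone edits the GPO.
    $proposed = $null
    if ($ruleType) {
        $proposedFile = Join-Path $env:TEMP 'proposed-applocker.xml'
        New-AppLockerPolicy -FileInformation $info -RuleType $ruleType -User $Group -Xml |
            Set-Content -LiteralPath $proposedFile
        $proposed = Test-AppLockerPolicy -XmlPolicy $proposedFile -Path $full -User $Group
    }

    [pscustomobject]@{
        File             = $full
        CurrentDecision  = $current.PolicyDecision      # Allowed / Denied / DeniedByDefault
        MatchingRule     = $current.MatchingRule
        SignatureStatus  = $sig.Status
        Publisher        = if ($signed) { $info.Publisher.PublisherName } else { $null }
        UserWritable     = $userWritable
        RecommendedRule  = $ruleType
        ProposedDecision = if ($proposed) { $proposed.PolicyDecision } else { $null }
        Advice           = $advice
    }
}

# Constructed example path; substitute the path quoted in the user's work order.
Get-AppLockerRequestTriage -Path 'C:\Users\first.last\AppData\Local\ExampleApp\ExampleApp.exe' | Format-List
```

The proposed policy file contains only the single generated rule, so `ProposedDecision` reading `Allowed` confirms that the rule really matches the file the user asked about; the rule still has to be merged into the production policy through the usual Group Policy change process, and a `Hash` recommendation should prompt a conversation with the requester about updates before anything is merged.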